The Problem



SIGINT is very good at 2 things: 

1. Establishing lists of potential leads (50-10k+) 

2. Manual analysis to vet individual targets




Potential leads 
50-10k+ 
Tradecraft





A common model for identifier lead lists, today: 



Seed List Provided to SIGDEV

Normalize and Expand Selectors

Foreignness Compliance Check

SIGINT Queries on Selector activity and behavior attributes

????

Bulk enrichment of 'SIGINT business knowledge'

Manual analysis
Triage Today




After initial enrichment checks, the analyst is often 
left with too many identifiers of "possible interest" 



No Further Analysis Needed 20%

Definite Interest (Pri 1) 5%




Percentages are conceptual 
Bulk Lead Triage via Behavior Analytics



Hundreds or thousands of selectors to go through high-level vetting very quickly

Better triage prioritization allows for highly adjustable thresholds to be set for follow-on analysis

Compliance can be inserted at both the "batch result" and "query" level

Potentially utilize multiple clouds & cross-enterprise analytics




No Further Analysis Needed 20%

Definite Interest (Pri. 1) 5%

Low Interest (Pri 25.0

Medium Interest (Pri 3) 35%

High Interest (Pri 2) 15%
Identifier 'SIGINT Business' Enrichment





Bulk gathering, via Identifier Scoreboard (phase2/phase3) 



Targeting 

Authorities 

Reporting 

Targets 

Knowledge 

Foreignness 

Compliance 



...not a raw SIGINT query
[Screenshot: identifier search form and results table. Form controls: Add identifiers, Change realm, Import identifiers, Targeting tag, Targeting category, Query/criteria list, Target, Targeting zipcode, Priority Email, Retrieve up-to-date FOREMAN data, Clear, Save, Search. Column groups: SIGINT, Targeting, Foreignness, Knowledge. Columns: Normalized identifier, Comms, PSC, Tip, TAO, CNE, CONTRAOCTAVE, FOREMAN, Comments, Location, Reports, Actions. The table is paginated and shows a "Last Updated" timestamp.]

Dynamic Page - Highest Possible Classification Is TOP SECRET//SI//REL TO USA, FVEY
'Yes/No' Identifier Behavior







Bulk triage, via SIGINT Analytics Mode (start of phase 4)



Core set of 'yes/no' behavioral questions about a set of identifier leads

...against raw SIGINT!




[Screenshot: question pop-up and results columns. Question: "Has this identifier been in direct communications with a targeted identifier?" Pop-up fields: Identifiers supported, Legal authorities, Results updated. Result columns include "Targeted contact?" and "In captured media?"; cells show either n/a or a First heard / Last heard date pair, for example First heard: 03 Dec 2011, Last heard: 29 Feb 2012.]
SIGINT Analytics Mode



Triage by aggregate behaviors 
[Screenshot: results table. The first column is the normalized identifier; the remaining columns hold analytic results per question, including "Targeted contact?" and "In captured media?", with cells showing n/a or First heard / Last heard dates.]



One column per 'yes/no' question 

Quickly zero in on worthy leads 
SIGINT Analytics Mode - Detailed View

[Screenshot: detailed view for one identifier. Questions listed include "Seen in captured media? (no results)", "Seen in France?" and "Had direct communications with a targeted identifier?", the last with First heard and Last heard timestamps. Below it, a Date / Description table lists individual events (was bcc'd on email from, received email from, sent email to), each with SIGAD/PDDG, Case notation and Legal authority category: EO12333. A "Back to top" link follows.]
SIGINT Analytics Mode - Detailed View

[Screenshot: detail for the question "Had direct communications with a targeted identifier?" First heard: 2012-Mar-01 06:58:42 Z. Last heard: 2012-Mar-05 07:55:40 Z. A Date / Description table lists four events between those dates (was bcc'd on email from, received email from, sent email to), each with SIGAD/PDDG, Case notation and Legal authority category: EO12333. A "to top" link follows.]




Go view target knowledge Go view content Add new knowledge 



External links to guide next steps in analysis 
ECHOBASE Analytics Architecture



Initial set of analytic questions 

• Most running within GHOSTMACHINE framework
• Limited contributors 



Daily Feeds 



Targeting 







OCTAVE 




UTT 





GHOSTMACHINE Analytic Engine provides
• QFD hosting of analytic results
• RESTful query interface



Targeted 
identifiers 



Future analytics 

• multiple organizations/frameworks
2012 Olympics Sharing

2012 Olympics Support



NSA SID Leads Evaluation Cell 

• Triage of Olympics-based leads through the event 

• Leverage both NSA and GCHQ-produced analytics 



• Greater SID-wide usage following the Olympic period 
Contact/Information



- Briefers: 




